Btiteam / XBTIT Forum

BTITeam => [BTITeam] Comunications => Topic started by: Lupin on April 08, 2010, 10:46:38 PM

Title: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: Lupin on April 08, 2010, 10:46:38 PM: A possible exploit (SQL injection) was discover in the code, please update your trackers ASAP, hackers could retrieve password hash, then accessing your site like you!

Affected version:
- ALL version < revision 584

Vulnerables files:
- users.php
- torrents.php

Manual patch:

open users.php
find and replace
Code: [Select]
// getting order if (isset($_GET["order"])) $order=htmlspecialchars($_GET["order"]); else $order="joined"; if (isset($_GET["by"])) $by=htmlspecialchars($_GET["by"]); else $by="ASC";with
Code: [Select]
$order_param=3; // getting order if (isset($_GET["order"])) { $order_param=(int)$_GET["order"]; switch ($order_param) { case 1: $order="username"; break; case 2: $order="level"; break; case 3: $order="joined"; break; case 4: $order="lastconnect"; break; case 5: $order="flag"; break; case 6: $order="ratio"; break; default: $order="joined"; } } else $order="joined"; if (isset($_GET["by"])) { $by_param=(int)$_GET["by"]; $by=($by_param==1?"ASC":"DESC"); } else $by="ASC";find and replace
Code: [Select]
list($pagertop, $pagerbottom, $limit) = pager(20, $count, $scriptname."&" . $addparams.(strlen($addparam)>0?"&":"")."order=$order&by=$by&");with
Code: [Select]
list($pagertop, $pagerbottom, $limit) = pager(20, $count, $scriptname."&" . $addparams.(strlen($addparam)>0?"&":"")."order=$order_param&by=$by_param&");find and replace
Code: [Select]
$userstpl->set("users_sort_username", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=username&by=".($order=="username" && $by=="ASC"?"DESC":"ASC")."\">".$language["USER_NAME"]."</a>".($order=="username"?$mark:"")); $userstpl->set("users_sort_userlevel", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=level&by=".($order=="level" && $by=="ASC"?"DESC":"ASC")."\">".$language["USER_LEVEL"]."</a>".($order=="level"?$mark:"")); $userstpl->set("users_sort_joined", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=joined&by=".($order=="joined" && $by=="ASC"?"DESC":"ASC")."\">".$language["USER_JOINED"]."</a>".($order=="joined"?$mark:"")); $userstpl->set("users_sort_lastaccess", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=lastconnect&by=".($order=="lastconnect" && $by=="ASC"?"DESC":"ASC")."\">".$language["USER_LASTACCESS"]."</a>".($order=="lastconnect"?$mark:"")); $userstpl->set("users_sort_country", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=flag&by=".($order=="flag" && $by=="ASC"?"DESC":"ASC")."\">".$language["USER_COUNTRY"]."</a>".($order=="flag"?$mark:"")); $userstpl->set("users_sort_ratio", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=ratio&by=".($order=="ratio" && $by=="ASC"?"DESC":"ASC")."\">".$language["RATIO"]."</a>".($order=="ratio"?$mark:""));with
Code: [Select]
$userstpl->set("users_sort_username", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=1&by=".($order=="username" && $by=="ASC"?"2":"1")."\">".$language["USER_NAME"]."</a>".($order=="username"?$mark:"")); $userstpl->set("users_sort_userlevel", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=2&by=".($order=="level" && $by=="ASC"?"2":"1")."\">".$language["USER_LEVEL"]."</a>".($order=="level"?$mark:"")); $userstpl->set("users_sort_joined", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=3&by=".($order=="joined" && $by=="ASC"?"2":"1")."\">".$language["USER_JOINED"]."</a>".($order=="joined"?$mark:"")); $userstpl->set("users_sort_lastaccess", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=4&by=".($order=="lastconnect" && $by=="ASC"?"2":"1")."\">".$language["USER_LASTACCESS"]."</a>".($order=="lastconnect"?$mark:"")); $userstpl->set("users_sort_country", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=5&by=".($order=="flag" && $by=="ASC"?"2":"1")."\">".$language["USER_COUNTRY"]."</a>".($order=="flag"?$mark:"")); $userstpl->set("users_sort_ratio", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=6&by=".($order=="ratio" && $by=="ASC"?"2":"1")."\">".$language["RATIO"]."</a>".($order=="ratio"?$mark:""));save and close.

open torrents.php
find and replace
Code: [Select]
// getting order if (isset($_GET["order"])) $order=htmlspecialchars(mysql_real_escape_string($_GET["order"])); else $order="data"; $qry_order=str_replace(array("leechers","seeds","finished"),array($tleechs,$tseeds, $tcompletes),$order); if (isset($_GET["by"])) $by=htmlspecialchars(mysql_real_escape_string($_GET["by"])); else $by="DESC"; list($pagertop, $pagerbottom, $limit) = pager($torrentperpage, $count, $scriptname."&" . $addparam.(strlen($addparam)>0?"&":"")."order=$order&by=$by&");with
Code: [Select]
// getting order $order_param=3; if (isset($_GET["order"])) { $order_param=(int)$_GET["order"]; switch ($order_param) { case 1: $order="cname"; break; case 2: $order="filename"; break; case 3: $order="data"; break; case 4: $order="size"; break; case 5: $order="seeds"; break; case 6: $order="leechers"; break; case 7: $order="finished"; break; case 8: $order="dwned"; break; case 9: $order="speed"; break; default: $order="data"; } } else $order="data"; $qry_order=str_replace(array("leechers","seeds","finished"),array($tleechs,$tseeds, $tcompletes),$order); $by_param=2; if (isset($_GET["by"])) { $by_param=(int)$_GET["by"]; $by=($by_param==1?"ASC":"DESC"); } else $by="DESC"; list($pagertop, $pagerbottom, $limit) = pager($torrentperpage, $count, $scriptname."&" . $addparam.(strlen($addparam)>0?"&":"")."order=$order_param&by=$by_param&");find and replace
Code: [Select]
$torrenttpl->set("torrent_pagertop",$pagertop); $torrenttpl->set("torrent_header_category","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=cname&by=".($order=="cname" && $by=="ASC"?"DESC":"ASC")."\">".$language["CATEGORY"]."</a>".($order=="cname"?$mark:"")); $torrenttpl->set("torrent_header_filename","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=filename&by=".($order=="filename" && $by=="ASC"?"DESC":"ASC")."\">".$language["FILE"]."</a>".($order=="filename"?$mark:"")); $torrenttpl->set("torrent_header_comments",$language["COMMENT"]); $torrenttpl->set("torrent_header_rating",$language["RATING"]); $torrenttpl->set("WT",intval($CURUSER["WT"])>0,TRUE); $torrenttpl->set("torrent_header_waiting",$language["WT"]); $torrenttpl->set("torrent_header_download",$language["DOWN"]); $torrenttpl->set("torrent_header_added","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=data&by=".($order=="data" && $by=="ASC"?"DESC":"ASC")."\">".$language["ADDED"]."</a>".($order=="data"?$mark:"")); $torrenttpl->set("torrent_header_size","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=size&by=".($order=="size" && $by=="DESC"?"ASC":"DESC")."\">".$language["SIZE"]."</a>".($order=="size"?$mark:"")); $torrenttpl->set("uploader",$SHOW_UPLOADER,TRUE); $torrenttpl->set("torrent_header_uploader",$language["UPLOADER"]); $torrenttpl->set("torrent_header_seeds","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=seeds&by=".($order=="seeds" && $by=="DESC"?"ASC":"DESC")."\">".$language["SHORT_S"]."</a>".($order=="seeds"?$mark:"")); $torrenttpl->set("torrent_header_leechers","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=leechers&by=".($order=="leechers" && $by=="DESC"?"ASC":"DESC")."\">".$language["SHORT_L"]."</a>".($order=="leechers"?$mark:"")); $torrenttpl->set("torrent_header_complete","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=finished&by=".($order=="finished" && $by=="ASC"?"DESC":"ASC")."\">".$language["SHORT_C"]."</a>".($order=="finished"?$mark:"")); $torrenttpl->set("torrent_header_downloaded","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=dwned&by=".($order=="dwned" && $by=="ASC"?"DESC":"ASC")."\">".$language["DOWNLOADED"]."</a>".($order=="dwned"?$mark:"")); $torrenttpl->set("torrent_header_speed","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=speed&by=".($order=="speed" && $by=="ASC"?"DESC":"ASC")."\">".$language["SPEED"]."</a>".($order=="speed"?$mark:"")); $torrenttpl->set("torrent_header_average",$language["AVERAGE"]);with
Code: [Select]
$torrenttpl->set("torrent_pagertop",$pagertop); $torrenttpl->set("torrent_header_category","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=1&by=".($order=="cname" && $by=="ASC"?"2":"1")."\">".$language["CATEGORY"]."</a>".($order=="cname"?$mark:"")); $torrenttpl->set("torrent_header_filename","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=2&by=".($order=="filename" && $by=="ASC"?"2":"1")."\">".$language["FILE"]."</a>".($order=="filename"?$mark:"")); $torrenttpl->set("torrent_header_comments",$language["COMMENT"]); $torrenttpl->set("torrent_header_rating",$language["RATING"]); $torrenttpl->set("WT",intval($CURUSER["WT"])>0,TRUE); $torrenttpl->set("torrent_header_waiting",$language["WT"]); $torrenttpl->set("torrent_header_download",$language["DOWN"]); $torrenttpl->set("torrent_header_added","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=3&by=".($order=="data" && $by=="ASC"?"2":"1")."\">".$language["ADDED"]."</a>".($order=="data"?$mark:"")); $torrenttpl->set("torrent_header_size","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=4&by=".($order=="size" && $by=="DESC"?"1":"2")."\">".$language["SIZE"]."</a>".($order=="size"?$mark:"")); $torrenttpl->set("uploader",$SHOW_UPLOADER,TRUE); $torrenttpl->set("torrent_header_uploader",$language["UPLOADER"]); $torrenttpl->set("torrent_header_seeds","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=5&by=".($order=="seeds" && $by=="DESC"?"1":"2")."\">".$language["SHORT_S"]."</a>".($order=="seeds"?$mark:"")); $torrenttpl->set("torrent_header_leechers","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=6&by=".($order=="leechers" && $by=="DESC"?"1":"2")."\">".$language["SHORT_L"]."</a>".($order=="leechers"?$mark:"")); $torrenttpl->set("torrent_header_complete","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=7&by=".($order=="finished" && $by=="ASC"?"2":"1")."\">".$language["SHORT_C"]."</a>".($order=="finished"?$mark:"")); $torrenttpl->set("torrent_header_downloaded","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=8&by=".($order=="dwned" && $by=="ASC"?"2":"1")."\">".$language["DOWNLOADED"]."</a>".($order=="dwned"?$mark:"")); $torrenttpl->set("torrent_header_speed","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=9&by=".($order=="speed" && $by=="ASC"?"2":"1")."\">".$language["SPEED"]."</a>".($order=="speed"?$mark:"")); $torrenttpl->set("torrent_header_average",$language["AVERAGE"]);save and close.

your tracker should be patched

Alternatively you can download attached files and replace yours (maybe backup b4) with the new.
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: djblackout on April 08, 2010, 11:23:01 PM: i just uploadet the files to my server how to chek if its stable now ?
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: terra3 on April 09, 2010, 05:21:10 AM: i patched the users.php but when i patched torrents.php i get this error when trying to reinstall gold & silver torrents hack:

D:\xampp\htdocs\terraj3/torrents.php Sorry search string: "if (isset($_GET["by"]))
$by=htmlspecialchars(mysql_escape_string($_GET["by"]));
else
$by="DESC";..." (first 20 chars) was not found) Ask Hack's Developer

please advise..and thanks for the fix...
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: en3r0 on April 09, 2010, 09:24:06 AM: This will break the Sticky torrents mod if you do not do it manually, or reapplying the mod I think is the official way to do things.

Thanks for the fix!
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: yanchev on April 09, 2010, 12:58:34 PM: Thanks for the fix.
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: terra3 on April 09, 2010, 01:34:36 PM: Quote from: terra3 on April 09, 2010, 05:21:10 AM
i patched the users.php but removed hacks that would be effected(only 1) but when i patched torrents.php i get this error when trying to reinstall gold & silver torrents hack:

D:\xampp\htdocs\terraj3/torrents.php Sorry search string: "if (isset($_GET["by"]))
$by=htmlspecialchars(mysql_escape_string($_GET["by"]));
else
$by="DESC";..." (first 20 chars) was not found) Ask Hack's Developer

please advise..and thanks for the fix...
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: friendly on April 09, 2010, 01:55:51 PM: that can be fixed m8 the xml searches for

Code: [Select]
if (isset($_GET["by"])) $by=htmlspecialchars(mysql_escape_string($_GET["by"])); else $by="DESC";
but now the code is

Code: [Select]
if (isset($_GET["by"])) { $by_param=(int)$_GET["by"]; $by=($by_param==1?"ASC":"DESC"); } else $by="DESC";
just edit the xml to match the new code ;)
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: terra3 on April 09, 2010, 02:16:03 PM: phone rang here, just got off of it. that worked, thanks m8 :) much obliged...
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: friendly on April 09, 2010, 02:24:07 PM: no probs m8 happy to help :)
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: terra3 on April 09, 2010, 03:10:46 PM: this has been bugging me friendly. my site still isnt up to par without the thanks hack, this error:

D:\xampp\htdocs\terraj3/style/xbtit_default/torrent.details.tpl Sorry search string: "<tr>
<td align="right" class="header"><tag:language.INFO_HASH /></td>
<td class="lista" align="center"..." (first 20 chars) was not found)

the thanks.php is in root and i commented out the path from the xml, manually installed it, also uninstalled 'fore the sec patch.

please advise and thanks very much for your assistance.. :)
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: Lupin on April 10, 2010, 12:00:59 AM: the best way is applying manually the patch on already modified torrents.php (with hacks installed)
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: pedro444 on April 12, 2010, 12:23:31 AM: tremoço. CORREÇÃO DE SEGURANÇA dá o tracker CyBerFuN xBTiT totalmente MODDED
é porque eu enfectado..thanks :-[
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: robbee on April 13, 2010, 01:07:16 PM: how do i combine the torrents.php fix with the gold torrents mod? the part i have to replace looks like this:

Code: [Select]
// getting order if (isset($_GET["order"])) $order=htmlspecialchars(mysql_escape_string($_GET["order"])); else $order="data"; $qry_order=str_replace(array("leechers","seeds","finished"),array($tleechs,$tseeds, $tcompletes),$order); /*Mod by losmi - gold mod*/ /*Mod by losmi - sticky mod Operation #4*/ if (isset($_GET["by"])) $by=htmlspecialchars(mysql_escape_string($_GET["by"])); else $by="DESC"; list($pagertop, $pagerbottom, $limit) = pager($torrentperpage, $count, $scriptname."&" . $addparam.(strlen($addparam)>0?"&":"")."order=$order&by=$by&");
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: Lupin on April 13, 2010, 10:34:04 PM: you can do it like explained on 1st post, just ignore
Code: [Select]
/*Mod by losmi - gold mod*/ /*Mod by losmi - sticky mod Operation #4*/from your code
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: alein on April 14, 2010, 07:51:20 AM: I use btit 1.4.8 any security problem on this version?
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: Lupin on April 14, 2010, 11:57:45 PM: yes, I guess btit versions are affected by same vulnerabilities
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: Delius on April 20, 2010, 03:08:15 AM: I made the changes but pager in users.php didn't work properly (because $by_param isn't available in all cases). Then I made this change, from:

Code: [Select]
if (isset($_GET["by"])) { $by_param=(int)$_GET["by"]; $by=($by_param==1?"ASC":"DESC"); } else $by="ASC";
to:

Code: [Select]
if (isset($_GET["by"])) { $by_param=(int)$_GET["by"]; $by=($by_param==1?"ASC":"DESC"); } else { $by_param=1; $by="ASC"; }
Is this ok?

Sorry my english and thanks a lot for your work :)
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: Lupin on April 20, 2010, 04:27:17 AM: yes, sorry I forgot this :)
Title: Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
Post by: punsikorn on February 18, 2019, 11:38:13 PM: Thanks for the fix!
gclub casino (https://gclub-slotonline.net/)